Permission required to test voting machine security?

A county elections supervisor in Florida is fighting a state rule change that …

Florida has seen its fair share of election anomalies, and the shift to electronic voting machines was supposed to help the state make its election procedures more secure. After purchasing some Diebold machines for this purpose, Leon County decided to run a security test on them back in December, and found some serious vulnerabilities that altered the results of their mock election. Now, Leon County Election Supervisor Ion Sancho worries that the state wants to curtail people like him from performing such security testing.

"I don't, for the life of me, understand why they want to do something like this," Sancho said Saturday. "I have no problem with notifying them, but I don't think I need their approval."

Whether such a change is sinister of simply pragmatic probably depends on your point of view, but it does highlight the odd way that American elections are conducted. Most are implemented at the county level, meaning that even within a single state, many different systems can coexist. Some counties also conduct their own audits and testing of new systems, a remarkably inefficient approach. It's more common for a state body to oversee the testing, an approach that is more efficient but hardly free of controversy. Given how central voting is to our system of government, it's difficult to understand why these machines don't operate under more stringent guidelines and why there is comparatively little federal oversight.

It's certainly not because the machines are problem-free; a new report (PDF) from voter advocacy group Black Box Voter highlights several alleged security vulnerabilities in Diebold touchscreen machines (including the presence of an active MMC/SD card interface inside the machine). At this point, it hardly matters whether such problems have significantly altered any elections; enough people believe them to have done so that confidence in election results is being eroded.

Diebold, especially, has had a long history of problems. The CEO was a big Bush backer in the last election and promised to help Bush win Ohio—not the sort of public behavior calculated to win confidence in your company's election products. The company also suffered negative press when the source code to one of their machines was leaked onto the 'Net and was then analyzed by security researchers (who didn't like what they found). The state of California then went after the company for making fraudulent claims after an expensive voting machine rollout in that state failed to perform as expected (and it was later revealed that Diebold had installed updated, uncertified software on the machines before the election). North Carolina had their own problems with the company when the state demanded to see all the machine's source code; Diebold claimed that some of it couldn't be provided, since it lacked the license to distribute third-party code. Whether the company has any malicious intent or not, these episode certainly highlight the need for increased supervision at the federal or state level, where more resources are available to do proper testing.